CVE-2021-33330 CORS should not work with Portal Session authentication

Description

Liferay Portal 7.2.0 through 7.3.2 allows access to Cross-origin resource sharing (CORS) protected resources if the user is only authenticated using the portal session authentication, which allows remote attackers to obtain sensitive information including the targeted user’s email address and current CSRF token.
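The rule in the advisory title, as an added illustration that is not Liferay's code: a request authenticated only by the session cookie receives no CORS headers, so a cross-origin script cannot read the response. The cookie name, the allowed origin, the header-dictionary request model and the `gate_session` switch are assumptions made for this sketch.

```python
from http.cookies import SimpleCookie

# Assumptions for this sketch (not taken from the advisory): the session
# cookie name, the trusted origin and the CORS configuration below.
SESSION_COOKIE = "JSESSIONID"
ALLOWED_ORIGINS = {"https://app.example.com"}
ALLOW_CREDENTIALS = True


def authenticated_by(headers):
    """Return 'explicit', 'session' or None for a dict of request headers."""
    # A credential the calling script attached itself takes precedence
    # (assumed server behaviour).
    if headers.get("Authorization", "").strip():
        return "explicit"
    cookies = SimpleCookie()
    cookies.load(headers.get("Cookie", ""))
    # The session cookie is ambient: the browser attaches it to credentialed
    # cross-origin requests without the calling script ever knowing its value.
    if SESSION_COOKIE in cookies:
        return "session"
    return None


def cors_headers(headers, gate_session=True):
    """Return the CORS response headers to emit for this request.

    An empty dict means the browser will not expose the response to the
    calling origin. gate_session=False models the behaviour the advisory
    describes, where session-authenticated responses were readable.
    """
    origin = headers.get("Origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    if gate_session and authenticated_by(headers) == "session":
        return {}  # CORS does not apply to session-only authentication
    result = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if ALLOW_CREDENTIALS:
        result["Access-Control-Allow-Credentials"] = "true"
    return result


if __name__ == "__main__":
    # Constructed sample request: allowed origin, session cookie only.
    sample = {"Origin": "https://app.example.com", "Cookie": "JSESSIONID=abc123"}
    print("gated:  ", cors_headers(sample))
    print("ungated:", cors_headers(sample, gate_session=False))
```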

Severity

Severity 2

Fixed Version(s)

Acknowledgments

This issue was reported by Prajwal Khante.

Publication date: Mon, 10 May 2021 16:00:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) have only been listed here since 2023. Historical advisories are available in the Help Center.